I have a C# ASP.NET Web service that takes in xml as a string. The xml gets loaded up into an XmlDocument and parsed. The problem I have is that the caller might be sending Xml inside my xml elements, which will fail schema validation for me. My question is this: what is the recommended approach for dealing with this type of situation? I imagine it is inline with input validation for the most part, but if anyone has some information around my scnario I would greatly appreciate it.
A:
Mr Burt,
Don't know this helps. We work on similar type of model where the xml message is passed in as a string. We create an XmlReader and then parse it against the schema. Our schema then handles the failure by passing back a reply message detail of the failure points. On Success we serialize the object and process it as normal.
Regards
Iain
Iain
2010-06-17 12:23:48
Sounds like you are basically doing the same thing I am doing. I was just interested in who is repsonsible for escaping the contents of certain elements, which is basically text. It sounds like it will have to be up to the caller in this case.
2010-06-23 19:24:56
We are getting feeds from a number of known parties, so the risk of XSS is very low, i looks like we are not encoding it, but in other projects i have run into the problem of double encoding, think get down to having a specification from the other party if they are encoding or not.
Iain
2010-06-24 08:36:59